MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 519ba7ae267491633e2a01e55735586ba94829871e5c4ec2fe0a5c8fafe004b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 519ba7ae267491633e2a01e55735586ba94829871e5c4ec2fe0a5c8fafe004b8
SHA3-384 hash: 63d7144ac71fa2329d2cb328aec6194fe9a665072957f0e3a45c26d72147ed424b84505f5417b330444817ba04cc1584
SHA1 hash: 908d7fe2ce5be41f4096641dcc7ac0023edb4c94
MD5 hash: 34b2d327ebe6246d844b7a4b8640d4d5
humanhash: india-october-maine-steak
File name:34b2d327ebe6246d844b7a4b8640d4d5
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:31'544 bytes
First seen:2021-06-21 02:55:42 UTC
Last seen:2021-06-21 03:35:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 768:JsivWH2B6fG7JJvNyWnQrbY5tfkwKw+wph:JxzBiGQBXY5tfkwKw+w
Threatray 293 similar samples on MalwareBazaar
TLSH D5E2D65665917158E6E308B02D52F9343B2CB7B068C4E20EE461864CCF826FB74EDEDE
Reporter zbetcheckin
Tags:32 exe RedLineStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
34b2d327ebe6246d844b7a4b8640d4d5
Verdict:
Malicious activity
Analysis date:
2021-06-21 02:57:09 UTC
Tags:
trojan parasite loader netwire SecurityXploded
Link:
https://app.any.run/tasks/99a38612-45ff-405a-836f-fcdd212972bf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46522298.22967.9485.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/615616eb-9497-4cd8-93aa-2c30c3a03901
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/805027
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell adding suspicious path to exclusion list
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction which cause usermode exception
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 437438 Sample: aveNVNF9VW Startdate: 21/06/2021 Architecture: WINDOWS Score: 100 76 Multi AV Scanner detection for dropped file 2->76 78 Sigma detected: Powershell adding suspicious path to exclusion list 2->78 80 Multi AV Scanner detection for submitted file 2->80 82 4 other signatures 2->82 8 aveNVNF9VW.exe 24 18 2->8         started        13 svchost.exe 2->13         started        15 svchost.exe 2->15         started        17 11 other processes 2->17 process3 dnsIp4 72 apdocroto.gq 104.21.14.60, 49708, 49718, 49719 CLOUDFLARENETUS United States 8->72 56 C:\Windows\Resources\Themes\...\svchost.exe, PE32 8->56 dropped 58 fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe, PE32 8->58 dropped 60 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 8->60 dropped 64 3 other files (2 malicious) 8->64 dropped 96 Drops PE files to the startup folder 8->96 98 Creates an autostart registry key pointing to binary in C:\Windows 8->98 100 Adds a directory exclusion to Windows Defender 8->100 110 2 other signatures 8->110 19 aveNVNF9VW.exe 8->19         started        23 fdb1n217b2a716347aYpy7b42e8M8jdfM23.exe 8->23         started        26 WerFault.exe 8->26         started        34 10 other processes 8->34 62 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 13->62 dropped 102 System process connects to network (likely due to code injection or exploit) 13->102 104 Multi AV Scanner detection for dropped file 13->104 106 Hides threads from debuggers 13->106 74 127.0.0.1 unknown unknown 17->74 108 Changes security center settings (notifications, updates, antivirus, firewall) 17->108 28 WerFault.exe 17->28         started        30 WerFault.exe 17->30         started        32 WerFault.exe 17->32         started        file5 signatures6 process7 dnsIp8 50 C:\Users\user\AppData\...\aveNVNF9VW.exe.log, ASCII 19->50 dropped 84 Injects a PE file into a foreign processes 19->84 36 aveNVNF9VW.exe 19->36         started        66 apdocroto.gq 23->66 68 172.67.158.27, 49715, 80 CLOUDFLARENETUS United States 23->68 70 192.168.2.1 unknown unknown 23->70 52 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 26->52 dropped 86 Tries to evade analysis by execution special instruction which cause usermode exception 28->86 40 AdvancedRun.exe 34->40         started        42 conhost.exe 34->42         started        44 conhost.exe 34->44         started        46 8 other processes 34->46 file9 signatures10 process11 file12 54 C:\Users\user\AppData\...\CUJDFKOFNN.exe, PE32 36->54 dropped 88 Writes to foreign memory regions 36->88 90 Allocates memory in foreign processes 36->90 92 Hides threads from debuggers 36->92 94 4 other signatures 36->94 48 svchost.exe 36->48         started        signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/519ba7ae267491633e2a01e55735586ba94829871e5c4ec2fe0a5c8fafe004b8/
Threat name:
ByteCode-MSIL.Downloader.Foold
Create hunting rule
Status:
Malicious
First seen:
2021-06-21 02:56:12 UTC
AV detection:
14 of 46 (30.43%)
Threat level:
  3/5
Verdict:
malicious
Similar samples:
0024c03b214910f21e99a8444a63a33f07ee1fb54aa63a9d88e4cc97e00d0bb7
RedLineStealer
418905d8597aae629a95472bea24ffab97bf435cbea9bcefe99af7c7a89fb392
RedLineStealer
492823289d0cbc07c789546fda1d7bbee05327c29964f5738f70e82ae7c4f4ad
RedLineStealer
4f54c2e0def0a2a5b478220b3ddbccc3ee2a7302cddbfe0e8e1d394587589d88
RedLineStealer
84858fb9b1e2533886a654de52671d91b9d9d7f77ecc7a883d6f03821376b3c3
RedLineStealer
954988371d8cebea1a69f2c1a47d50b13b9eb82630e5fbc5069105bd12b7b541
RedLineStealer
cb6b64368f82e2596852532158f265a5b5d889abfce8d3025f5c8177f3462e33
RedLineStealer
cd706f1f829de6745dbbbd89ee6297eacd015b18d2705dfa0ff89b6f9290467a
RedLineStealer
cfd58b76ee10d732160ae05b4cb87e95713ad0ef8b17d77f0bb33b31ac4e6e18
RedLineStealer
e111f6f2fa1deba59df581d3c6ef269c3e3628b2649cb728e30092d8d30e258c
RedLineStealer
+ 283 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/210621-kbbnfpgy1n/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks BIOS information in registry
Drops startup file
Identifies Wine through registry keys
Loads dropped DLL
Windows security modification
Executes dropped EXE
Looks for VMWare Tools registry key
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Nirsoft
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
519ba7ae267491633e2a01e55735586ba94829871e5c4ec2fe0a5c8fafe004b8
MD5 hash:
34b2d327ebe6246d844b7a4b8640d4d5
SHA1 hash:
908d7fe2ce5be41f4096641dcc7ac0023edb4c94
Link:
https://www.unpac.me/results/3bdc1b0d-00d9-41df-a6b8-c0c485d65694/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/519ba7ae267491633e2a01e55735586ba94829871e5c4ec2fe0a5c8fafe004b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe 519ba7ae267491633e2a01e55735586ba94829871e5c4ec2fe0a5c8fafe004b8

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1384002/

Comments